After this week’s airport bomb attack in Moscow, Russian President Dmitry Medvedev declared that there was a “systemic failure to provide security.” That is difficult to dispute. But the claims of Domodedovo Airport’s spokesperson that “we fully met all the requirements in the sphere of air transport security for which we are responsible” was probably also correct. Yet ultimately, dozens of people are dead and dozens more wounded. So who is to blame? What’s wrong with the system? And are we in America also at risk?

In the United States, we divide security responsibility according to who performs the activity. For example, Transportation Security Administration personnel search carry-on bags at checkpoints, while airport law enforcement officers patrol the airport perimeter. TSA also requires that airports make public address announcements and not allow vehicles to park at the airport curb, and that airlines inspect aircraft food trays. Each activity costs money, so TSA requires only what it can justify, write down and audit.

But security that depends on an auditable checklist of written requirements is always going to be vulnerable to an enemy that can change the method of attack based on those regulations. Once TSA publishes what is required, three things happen: vulnerability is embedded where those measures are weak; the minimum required becomes the maximum undertaken by the security players; and the regulated party feels protected from blame because it did what was required. Unfortunately, in counter-terrorism, regulations alone are not enough.

When responsibility is finally determined in Russia, there probably will be a gap between what Domodedovo Airport was required to do and what it could have done to prevent the attack. But top-down rules allocate responsibility in slices, fragmenting responsibility, thereby eliminating any one party’s accountability in security’s overall outcome. A corollary vulnerability is that no government can issue regulations quickly enough to cover every conceivable angle of attack. Therefore, if compliance with set rules is our system, it is a system born to fail.

Post-9/11 security has done its job, but we must continue to adapt. To foil endlessly resourceful terrorists, we need to improve in three areas.

First, we need multiple layers of security deployed throughout the airport that are changing regularly and, to outsiders, seem unpredictable. Layers such as K-9 teams, random inspections and behavior detection agents, by their very randomness, prevent terrorists from identifying a security gap and exploiting it.

Second, ownership of the security result must be jointly shared. TSA, the airports, airlines, law enforcement, vendors and, yes, the traveling public all share responsibility for our security outcomes. The fear of blame within a security apparatus leads to bureaucratic inaction, which eventually leads to gaping security holes.

And last, we need active assessment and allocation of risk-management resources that balance what I call risk tradeoffs.

Effective security is, in fact, risk management. Our political leaders and security authorities make judgments about where to set the risk-management needle. They have chosen to take the minimum possible risk at airport passenger checkpoints, resulting in pat-downs and plastic bags. The needle registers a little more tolerance in the maintenance area, or so-called backside of airports, and more still in the public areas. But how much risk do we want to accept in these public areas? And how much more hassle can we take?

When we call for more security in public areas, we should be searching for a risk balance that protects us yet is sustainable.

The victims’ families in Russia, or anywhere, do not care about excuses from segments of security that each claim it did its job according to the rules. When responsibility is diffused in systemic failure, we may tweak procedures, assure ourselves that we have fixed the problem, while disregarding the truth that static security based on regulations isn’t enough. Risk management must be constantly assessed and depends on each of the participants accepting ownership and being actively involved in how resources are deployed.

Before we hear the words “systemic failure” again, we should take another look at regulation-based security and recognize that compliance with procedure is not enough when it comes to stopping terrorism threats.

Kip Hawley served as administrator of the U.S. Transportation Security Administration from 2005 until 2009.